Welcome
CTI Tradecraft is an analyst’s notebook about cyber threat intelligence.
It is written for practitioners who already do the work—and want to think more clearly about it.
This site is not about chasing every new threat group, tool, or framework.
It is about judgement, tradecraft, and how intelligence actually functions inside real organisations.
If you are looking for daily threat news, IOC dumps, or tool walkthroughs, this may not be the right place.
If you are trying to become a better analyst, a stronger CTI lead, or a more credible intelligence partner, you’re in the right place.
Who This Site Is For
CTI Tradecraft is written primarily for:
- Mid-level CTI analysts who want to sharpen judgment, not just collect more data
- CTI leads and managers designing, running, or fixing intelligence programs
- Practitioners transitioning from execution into decision support and leadership
You will likely find this site useful if you have ever:
- Felt “busy” in CTI but unsure of your actual impact
- Struggled to explain the value of intelligence to stakeholders
- Realised that tools and frameworks did not solve deeper analytical problems
- Wanted better ways to think, not just more things to do
How to Read CTI Tradecraft
Most articles here are written as reflections from practice.
They are not meant to be consumed quickly or skimmed in a single pass. Many pieces are designed to be revisited as your role, responsibilities, and perspective change.
You will not always find neat answers, but you will find better questions.
Discomfort is sometimes intentional. That is where learning starts.
Choose Your Path
If this is your first time here, start with the path closest to your current role.
If You Are a CTI Analyst
Start with these articles to ground your thinking:
- Judgement Is a Skill, Not an Instinct
- Data is Not Insight, and Tools Will Not Fix That
- The Intelligence Cycle is Not a Workflow
These focus on how analysts think, reason, and make decisions under uncertainty.
If You Lead or Manage CTI
Begin here:
- Designing a CTI Program for Decisions, Not Dashboards
- Why CTI Metrics Usually Lie
- CTI for SOC vs CTI for Leadership
These explore how intelligence programs succeed, or quietly fail, inside organisations.
If You Analyse Threats and Campaigns
Start here:
- Why This Campaign Mattered (And Why Many Missed It)
- Not Every Incident Is Strategically Relevant
- Attribution Is Not the Point, Judgment Is
These articles focus less on who and more on why it mattered.
Explore by Pillar
CTI Tradecraft is organised into five core areas. Each represents a different aspect of intelligence work.
Foundations
How intelligence actually works, beyond definitions, diagrams, and buzzwords.
This section explores intelligence theory as it applies in practice, including decision support, estimation, and the limits of common models.
→ Explore Foundations
Tradecraft
How analysts think, judge, communicate, and fail.
This is the core of CTI Tradecraft. It focuses on analytical reasoning, cognitive bias, writing, and the human side of intelligence work.
→ Explore Tradecraft
Threat Analysis
Applied intelligence with context, interpretation, and restraint.
Campaigns and actors are analysed for meaning, not novelty.
→ Explore Threat Analysis
CTI Programs
Designing and running intelligence programs that survive reality.
This section addresses structure, trust, metrics, stakeholders, and the organisational challenges CTI teams face.
→ Explore CTI Programs
Field Notes
Reflections, lessons learned, and observations from the work.
These are shorter, more candid pieces, written without polish or pretense.
→ Explore Field Notes
About CTI Tradecraft
CTI Tradecraft is written by a practitioner who has spent years building, operating, and advising cyber threat intelligence functions.
The goal of this site is not to present a “perfect” CTI model.
It is to document how intelligence thinking evolves through real-world practice, with successes, failures, and course corrections included.
The Long View
Over time, CTI Tradecraft will form the foundation of a structured learning environment focused on:
- Intelligence tradecraft
- Analyst development
- CTI leadership
If you have been reading here regularly, you will already be doing the work.
How to Use This Page Going Forward
Revisit this page occasionally.
As more articles are published, this page will be updated to highlight key reads and new entry points.
Think of it as an orientation guide, not a feed.
You Are Ready
If this page resonated with you, start with one article and read it slowly.
That is how this site is meant to be used.